README

X.509 Certificate Parser for Python

This is probably the most complete parser of X.509 certificates in python.

Requirements:
pyasn1 >= 0.1.4rc6 (or 0.1.4 once it is released)

Code is in alpha stage! Don't use for anything sensitive. I wrote it (based on
previous work of colleagues) since there is no comprehensive python parser for
X.509 certificates. Often python programmers had to parse openssl output.

Advantages:

- I find it less painful to use than parsing output of 'openssl x509'
- somewhat stricter in extension parsing compared to openssl

Disadvantages:

- it's slow compared to openssl (about 2.3x compared to RHEL's openssl-1.0-fips)
- currently not very strict in what string types in RDNs it accepts
- API is still rather ugly and has no documentation yet; code is nasty at some
  places (and there's some old dangling code like pkcs7/verifier.py)

Known bugs and quirks:

- subject alternative name now only shows DNS names (other types are ignored)
- name constraints don't distinguish among various GeneralName subtypes
- some extensions are not shown very nicely when put in string format
- not all extensions are supported
- string types accepted for various RDN subelements are rather too permissive
- RDN string conversion does not conform to RFC 4514
- badly formed extensions are ignored if not marked critical
  - easy to switch to more strict behavior
  - other clients do this as well; RFC 5280 specifies behavior for unknown
    elements in extensions in appendix B.1, but does not cover all cases (e.g.
    element exists, but with string type different from spec)